Generally, since a database stores data of multiple users, an access control mechanism of the database controls which user can register, refer to, update or delete which piece of data. In the following, registration, reference, update and deletion are collectively referred to as “access to a database”. For example, the access control mechanism performs access control such that a user B cannot access data of a user A and the user A cannot access data of the user B.
As an access control method of the database, there is a previously known method consisting of two steps. First, a user who tries to access data is identified by comparing authentication information that the user passes to the database, such as a pair of a user ID and a password, with authentication information registered beforehand in the access control mechanism of the database. Next, whether to give permission to access each piece of data is determined based on an access control list in which the accessible data are set for the identified user.
This method is used in many existing databases. In SQL-92, which is a standard language for accessing databases, a GRANT statement and a REVOKE statement are defined for adding and deleting access authority information in the access control list, so as to add or cancel a user's access authority to data.
The above-mentioned access control method applies to a case in which only the users who store data in the database access the database. As a different example, there is a method in which a proxy agent (a proxy process server) accesses the database instead of the user who stores data in it. In this method, the user requests the proxy agent to access the database. It is used, for example, in a case where the proxy agent provides a function for processing data, and the user has the proxy agent process data stored in the database so that the user receives a process result.
A matter that should be considered when the proxy agent accesses the database as a proxy of the user is that the proxy agent should access the database based on the access authority of the user who is its client. For example, when a user A requests a proxy agent to access a database, access control should be performed such that the proxy agent can only access data which the user A is permitted to access. That is, there should not be a case where, in response to a request by the user A, the proxy agent accesses data of the user B that the user A is not permitted to access and returns the data to the user A. An event in which a proxy agent accesses a database based on the access authority of a client user is called a transfer of access authority from the user to the proxy agent.
The simplest access control method that satisfies the above-mentioned condition is one in which a user passes his or her own authentication information, such as a user ID and a password, to a proxy agent, and the proxy agent accesses the database with that authentication information to obtain data of the user.
Another method uses digital signature technology and encrypted communication technology for determining whether a transfer of access authority to the proxy agent by the user is valid by using a digital certificate, a digital signature, encryption and a unidirectional function (for example, refer to document 1: Japanese Laid-Open Patent Application No. 2001-101054; document 2: Japanese Laid-Open Patent Application No. 2002-163235).
However, there is the following problem in the method in which the user passes his or her own authentication information to a proxy agent and the proxy agent accesses a database by using that authentication information. Generally, the proxy agent is a third-party entity different from the user; thus, the user cannot necessarily trust the proxy agent. Therefore, for example, if a user A passes authentication information such as a user ID and a password to the proxy agent, there is a possibility that the proxy agent will perform a malicious process: the proxy agent retains the authentication information internally and, when another user B accesses the database, disguises itself as the user A by using the retained authentication information, so as to allow the user B to access data of the user A that the user B is not permitted to access.
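The following added example (a constructed toy model, not code from the cited documents or from any real database product) illustrates why the database cannot detect this situation: its authentication and access control list checks see only the presented user ID and password, so a later access made by the proxy agent with retained credentials is recorded exactly like the user's own request. The class names, user names, passwords and data item are assumptions made for illustration.

```python
import hashlib, hmac, os

class Database:
    """Constructed toy model: password authentication followed by an ACL check."""
    def __init__(self):
        self.creds, self.acl, self.rows, self.audit = {}, set(), {}, []

    @staticmethod
    def _kdf(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.creds[user] = (salt, self._kdf(salt, password))

    def grant(self, user, item):   # counterpart of the SQL GRANT statement
        self.acl.add((user, item))

    def revoke(self, user, item):  # counterpart of the SQL REVOKE statement
        self.acl.discard((user, item))

    def read(self, user, password, item):
        salt, stored = self.creds.get(user, (b"", b""))
        if not hmac.compare_digest(stored, self._kdf(salt, password)):
            raise PermissionError("authentication failed")
        allowed = (user, item) in self.acl
        self.audit.append((user, item, allowed))  # all the database can record
        if not allowed:
            raise PermissionError("not permitted by the access control list")
        return self.rows[item]

class ProxyAgent:
    """Hypothetical proxy that is handed the client's own user ID and password."""
    def __init__(self, db):
        self.db, self.seen = db, {}

    def process(self, user, password, item):
        self.seen[user] = password  # nothing stops the proxy from keeping this
        return self.db.read(user, password, item).upper()  # stand-in for processing

def demo():
    db = Database()
    db.register("A", "pw-A"); db.register("B", "pw-B")  # constructed sample users
    db.rows["a_data"] = "alpha"; db.grant("A", "a_data")
    proxy = ProxyAgent(db)
    result = proxy.process("A", "pw-A", "a_data")       # A's legitimate request
    try:
        db.read("B", "pw-B", "a_data"); b_direct = True
    except PermissionError:
        b_direct = False                                # the ACL keeps B out
    db.read("A", proxy.seen["A"], "a_data")             # proxy acting without A
    return result, b_direct, db.audit
```

The first and last audit entries returned by `demo()` are identical, which is the point: the access control list still denies user B directly, but it offers no way to separate user A from a proxy agent that holds user A's password.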
In addition, the method for determining the transfer of access authority and the like by using digital signature technology and encrypted communication technology requires complicated processes such as producing the digital certificate, producing the digital signature, performing encryption and computing the unidirectional function. It also requires several steps of exchanging key information, authentication information and the like between the user, the proxy agent and the database. Furthermore, these methods serve only as a system for transferring access authority; even when such a method is used, it is not ensured that the result of accessing the database based on the transferred access authority is reliably returned to the user who transferred the access authority. Therefore, this method is not appropriate for a proxy agent that the user requests to access a database.